ansible/docs/guides/site-lxc-git.md

# Site LXCs — git deploy (levkin / caseware / auto / portfolio)

## Remotes (correct)

Use **`git.levkin.ca`**, not `10.0.30.169`:

```
git@git.levkin.ca:ilia/levkin.ca.git
git@git.levkin.ca:ilia/caseware.git
git@git.levkin.ca:ilia/auto.git
git@git.levkin.ca:ilia/sdetProfile.git
```

Gitea VM is **`10.0.10.169`** on pve10. Public `git.levkin.ca:22` hits your home IP and is **closed**; git SSH uses LAN IP via `~/.ssh/config`.

## SSH config (on site LXC, as root)

```ssh
# /root/.ssh/config
Host git.levkin.ca
    HostName 10.0.10.169
    User git
    IdentityFile ~/.ssh/id_ed25519
    StrictHostKeyChecking accept-new
```

## Deploy keys

Each LXC should use its **own** deploy key in Gitea (**Repo → Settings → Deploy Keys**).
Gitea allows a public key only **once per server** — if you see *“already been added to the server”*, generate a repo-specific key:

```bash
# On portfolio LXC 219 (via pve10)
pct exec 219 -- cat /root/.ssh/id_ed25519_gitea.pub
```

Portfolio uses `~/.ssh/id_ed25519_gitea` in `/root/.ssh/config` for `Host git.levkin.ca` (`IdentitiesOnly yes`).

| LXC | Repo | Key file / comment |
|-----|------|---------------------|
| 215 | caseware | `~/.ssh/id_ed25519` → `root@caseware` |
| 216 | auto | `~/.ssh/id_ed25519` → `root@auto` |
| 219 | sdetProfile | `~/.ssh/id_ed25519_gitea` → `deploy-portfolio-sdetProfile` |
| 220 | levkin.ca | `~/.ssh/id_ed25519_gitea` → `deploy-levkin-levkin.ca` (add in Gitea UI) or HTTPS clone with read token |

## levkin.ca routes (LXC 220)

| Public URL | Served from |
|------------|-------------|
| `https://levkin.ca/` | `www/index.html` (spec) |
| `https://levkin.ca/folders/` | `www/folders/` (stack-folder) |

Build before push:

```bash
cd ~/Documents/code/levkin.ca
npm run build:www
git add www/ && git commit -m "Rebuild www" && git push
```

On LXC:

```bash
pct exec 220 -- bash -c 'cd /var/www/levkin && git pull origin main'
```

## Push / pull

```bash
# On LXC (via pve10)
pct exec 215 -- bash -c 'cd /var/www/caseware && git pull origin main && git push origin main'
pct exec 216 -- bash -c 'cd /var/www/auto && git pull origin master && git push origin master'
pct exec 219 -- bash -c 'cd /var/www/portfolio && git pull origin master && git push origin master'
pct exec 220 -- bash -c 'cd /var/www/levkin && git pull origin main'
```

After editing `index.html`, commit on the LXC, push, then hard-refresh the public site.

## Gitea VM SSH (git@10.0.10.169)

If deploy keys fail after adding them in the UI:

1. Keys live in `/var/lib/gitea/.ssh/authorized_keys` (regenerated by Gitea).
2. OpenSSH logs in as user **`git`** — copy/sync that file to **`/home/git/.ssh/authorized_keys`** (`chown git:git`, mode `600`).
3. `command=` must run **`gitea serv`** as user **`gitea`** (e.g. `sudo -n -E -u gitea /usr/bin/gitea …`) with `SSH_ORIGINAL_COMMAND` preserved in sudoers.

Portfolio uses repo path **`ilia/sdetprofile`** (lowercase on disk).